EzDevInfo.com

event-viewer interview questions

Top event-viewer frequently asked interview questions

How can I use Event Viewer to confirm login times filtered by User?

I'm required to log my start and finish times at work. Occasionally I forget to do this, and I had the bright idea that checking the Security event log would allow me to retrospectively ascertain my times.

Unfortunately, the logs are much bigger than I thought and take a while even to display in Event Viewer. Also, I tried filtering the logs by date and userid but so far this has yielded no results.

Assuming my idea is feasible, can anyone step-through what I'd need to do to retrieve the information I need?

UPDATE:

I followed @surfasb's instructions and got to the point where I can see only the logins; however, some of these are system-level (i.e. non-human) logins. I would like to see only my 'physical' logins (there would only be two or three such events on weekdays) and not all the other stuff.

I've tried putting my Windows username in the field shown below, using both domain\username and just username, but this just filters out everything. Can you assist?



Source: (StackOverflow)

List of all Windows 7 Event IDs and Sources?

I'm looking for a complete list of Sources + Event IDs for Windows 7.

I know there are many websites with built-in search to find information about a specific source + event ID, such as Eventid.net, but what I'm looking for is a complete list of this information or, better, software providing it.

Many years ago I was using a program providing this information but, unfortunately, I don't remember which one: maybe from the Windows 2000 Resource Kit... (?) EDIT: I remember I was using this utility in Windows XP Professional and the name was event"something" (for sure not eventvwr.msc or eventcreate.exe...).

My purpose is to create warnings with the Task Scheduler when important errors happen in the event log, such as hard disk errors and so on.


Source: (StackOverflow)


Why does my wireless network card need to be reset every time I start or wake my machine?

Every time I start my notebook, it fails to connect to any wireless access point. I can still view available wireless networks and attempt to connect to them, but it always fails.

The only thing that seems to work is to visit Network and Sharing Center and click Troubleshoot Problems. After running through the troubleshooting wizard, the wireless network adapter gets reset and everything works perfectly after that.


I have made sure that Windows is using the newest driver available for the adapter and I also tried the driver that shipped with the notebook and the latest driver from Intel. All of them exhibit the same behavior.

Here are some pertinent messages from the event viewer:

The Network Connected Devices Auto-Setup service entered the stopped state.
Details about network adapter diagnosis: Network adapter Wi-Fi driver information: Description . . . . . . . . . . : Intel(R) Wireless WiFi Link 4965AGN Manufacturer . . . . . . . . . : Intel Corporation Provider . . . . . . . . . . . : Microsoft Version . . . . . . . . . . . : 13.3.0.137 Inf File Name . . . . . . . . . : C:\Windows\INF\netwlv64.inf Inf File Date . . . . . . . . . : Saturday, February 18, 2012 12:00:37 AM Section Name . . . . . . . . . : Install_MPCIEX_GEN_4965_AGN_VISTA64_MOW1 Hardware ID . . . . . . . . . . : pci\ven_8086&dev_4229&subsys_11008086 Instance Status Flags . . . . . : 0x180200a Device Manager Status Code . . : 0 IfType . . . . . . . . . . . . : 71 Physical Media Type . . . . . . : 9
The Network Diagnostics Framework has completed the diagnosis phase of operation. The following repair option was offered: Helper Class Name: NdisHC Root Cause: There might be a problem with the driver for the Wi-Fi adapter Windows couldn't automatically bind the IP protocol stack to the network adapter. Root Cause Guid: {46ec1e49-ca70-4561-9ab7-009f6b1b3709} Repair option: Set up the wireless network adapter Set up the network adapter to communicate with this network. This ensures that both Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) can be used on the network adapter. RepairGuid: {4406f2cc-9cbd-4098-a03a-e5c9810e4895} Seconds required for repair: 70 Security context required for repair: 37
The Network Diagnostics Framework has completed the repair phase of operation. The following repair option or work-around was executed: Helper Class Name: NdisHC Repair option: Set up the wireless network adapter Set up the network adapter to communicate with this network. This ensures that both Internet Protocol Version 4 (TCP/IPv4) and Internet Protocol Version 6 (TCP/IPv6) can be used on the network adapter. RepairGuid: {4406f2cc-9cbd-4098-a03a-e5c9810e4895} The repair option appears to have successfully fixed the diagnosed problem.

Note: this problem is very similar to (but different from) one I had earlier with my wired network adapter.


Source: (StackOverflow)

Defragmentation Error, The Volume (C:) was not Optimized

Event ID 257

The volume (C:) was not optimized because an error was encountered:
The parameter is incorrect. (0x80070057)

I have Windows 8.1 64-bit (HDD), and lately I noticed the above event in my Event Viewer. I get 3 or 4 of these errors every day. Has anyone found a solution to this?


  • SFC /SCANNOW didn't solve the problem: Resource Protection did not find any integrity violations.



Solutions that I did not try but might work

  1. Basic steps to use diskpart to assign a drive letter to the system partition

    1. Open an elevated command prompt.

    2. Type diskpart and press Enter. You leave the standard command prompt and enter the diskpart utility. (Nothing exciting happens, don't worry.)

    3. Type list disk and press Enter to get a listing of the disks on the system. (More accurately, the disks visible to diskpart.) Figure out which disk contains the partition you want to assign a drive letter to.

    4. Type select disk X, where X is the applicable disk number.

    5. Type list partition and press Enter to get a listing of recognized partitions on disk X (from step 4). Your desired partition will be listed there. If not, go outside and enjoy nature.

    6. Type select partition Y, where Y is the applicable partition number.

    7. Type assign letter=Z, where Z is the drive letter you wish to assign. Diskpart should reply: DiskPart successfully assigned the drive letter or mount point.

    Once the system recognizes the drive letter (a reboot may help; as I mentioned, I did not reboot before the trim worked, but did have to wait awhile), you should be able to defrag/trim.

    To unassign the drive letter:

    A. Carry out steps 1 - 6 above.

    B. Type remove and press Enter. Diskpart should reply: DiskPart successfully removed the drive letter or mount point.

    I hope this helps.


  2. I am not entirely sure why it helped, but after I had the same issue (0x80070057 during defrag, chkdsk reports no errors) resetting the journal seemed to fix it.

    Open an Administrator command prompt and make use of fsutil:

    fsutil usn deletejournal /D volume pathname
    fsutil usn createjournal m=max-value a=alloc-delta volume pathname

    E.g.:
    fsutil usn deletejournal /D C:
    fsutil usn createjournal m=1000 a=100 C:

    Maybe it helps someone else as well.

The answers are from here


Source: (StackOverflow)

Identifying Windows 10 \Device\Harddisk1\DR2

I'm getting errors in Windows 10's event log stating \Device\Harddisk1\DR2 drive controller is having a problem. I know that the hard disk numbers depend on the BIOS and do not match the physical connections.

How can I tell which physical device this actually is? diskpart lists these devices:

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          931 GB      0 B        *
  Disk 1    Online         1863 GB   927 GB

Is \Device\Harddisk1 the "Disk 1" listed here? Is there some other way to determine what Windows 10 means by Harddisk1?

What is DR2?


Source: (StackOverflow)

volsnap: The shadow copies of volume C: were aborted because of an IO failure on volume C:

I have the following error appearing in Event Viewer several times per day:

The shadow copies of volume C: were aborted because of an IO failure on volume C:.

source: volsnap

Nothing was found in a web search for this message.


Source: (StackOverflow)

How to get Internet Explorer 9 to log into the Event Viewer logs

I'm trying to find a way to enable IE 9 to log events into the Event Viewer. We have some clients reporting problems, and we think IE crashes. I'd like to be able to log this event.

Any ideas?


Source: (StackOverflow)

find out time taken by individual group policy computer startup scripts

I wish to reduce the time taken by our computer group policy. How can I find out which scripts of which group policy are run when I boot a computer, and how much time each one takes? And how do I find out how much time software installation takes for each individual policy?

We have about 40 group policies of which more than 10 are using computer startup scripts.

I already turned up the verbosity and when I boot a computer I see the message "Applying Software Installation policy", but with no further details on which software or policy is being processed.

The Windows Event Viewer logs for group policy show two events corresponding exactly to the time the above message was shown:

Event 4018 Starting Startup script for HM\DEVELOP$.

Event 5018 Completed Startup script for HM\DEVELOP$ in 21 seconds.

There aren't any group policy events in between.

All software is up to date. This makes me think it is not actually an issue with software installation, but with the computer startup scripts. Am I right?

Some of our computers are connected through a VPN with a fast internet connection. On these computers the same events are logged, but it takes 64 seconds. We feel this is a bit too long.

I assume the event logs mean that each and every computer startup script is run during this time. This is not detailed enough to find the scripts that take the largest amount of time.

I already ran each of the scripts individually, but none of them takes a noticeable amount of time (command window shows and is quickly gone).


Source: (StackOverflow)

What's the most reliable way to log startup/shutdown times on a Vista PC?

A similar question titled How do I log startup and shut-down times in Windows 7? mentioned that PC startup and shutdown times can be recorded in the event viewer.

Events logged in the viewer are only recorded from August 2011 (despite the fact that the computer has been used since 2008). The raw data is also difficult to visualise without exporting it and viewing the data in another program such as Excel.

I've searched Google for software but I can only find search items related to desktop assistance and parental security.


Source: (StackOverflow)

Event Viewer: Event ID 2 'Session "Circular Kernel Context Logger" failed to start with the following error: 0xC0000035' [duplicate]

I've had 40 of these errors in the last 7 days. Can anyone give an explanation of the error and what I might do to correct it? I'm running Windows 7 Ultimate 64-bit. As a possibly important aside, I'm running a copy of Windows 7 that I've yet to activate (still trying to find the damn code before I cough up dough for a new one).


Source: (StackOverflow)

Windows 7 (Home Premium): eventvwr.exe: How to log workstation locking and unlocking and screensaver invoked and dismissed events

I have found the following information pertaining to when a user starts and stops interacting with a Windows 7 Home Premium 64-bit PC. Theoretically, these events can be viewed in eventvwr.exe when run as Administrator.

However, I have tried locking and unlocking the workstation and nothing shows up in the log. What must I do to enable this behavior?

Logon Session Events

  • 4624 Successful logon
  • 4647 User initiated logoff
  • 4625 Logon failure (See Logon Failure Codes)
  • 4778 Remote desktop session reconnected
  • 4779 Remote desktop session disconnected
  • 4800 Workstation locked
  • 4801 Workstation unlocked
  • 4802 Screen saver invoked
  • 4803 Screen saver dismissed

UPDATE:

@DavidPostill, I have tried the solution below, downloading and running the file you mentioned, and copying the C:\SysWOW64\gpedit.msc file to C:\Windows\System32\gpedit.exe, but I ran into the following problem:

The files C:\SysWOW64\GroupPolicy and C:\SysWOW64\GroupPolicyUsers could not be copied to C:\Windows\System32\GroupPolicy and C:\Windows\System32\GroupPolicyUsers because these folders already existed.

Here is what I get when I run gpedit.msc:



Source: (StackOverflow)

What is Event ID 33: SpellChecker in Windows 7 and 8 about?

On newly installed Windows machines (Windows 8 Pro, Windows 7) I've seen event ID 33 regularly appearing in the Event Viewer with this message:

Failed to add hardcoded change pair "aids -> aids" to engine: Not implemented. The spell checker will still be available.

These are the details from one of the Windows 8 machines:

- System 

  - Provider 

   [ Name]  Microsoft-Windows-SpellChecker 
   [ Guid]  {B2FCD41F-9A40-4150-8C92-B224B7D8C8AA} 

   EventID 33 

   Version 0 

   Level 2 

   Task 4 

   Opcode 0 

   Keywords 0x2000000000000000 

  - TimeCreated 

   [ SystemTime]  2013-03-07T09:49:45.428726200Z 

   EventRecordID 11089 

   Correlation 

  - Execution 

   [ ProcessID]  8164 
   [ ThreadID]  2624 

   Channel Application 

   Computer <my pc> 

  - Security 

   [ UserID]  <my user> 


- EventData 

  First aids 
  Second aids 
  hr -2147467263 

For your information: all Windows versions were clean installed, or some were upgraded (in the case of Windows 8).

Has anyone else seen this also? Because this 'hardcoded change pair' looks strange to me, unless somebody from Microsoft wanted to make a joke ;-)


Source: (StackOverflow)

Windows freezes at startup & cannot start sptd

Recently, right after I enter the Windows password, the computer freezes at the welcome screen. I then entered Safe Mode to restore the system, and then everything worked fine.

But today I started the computer again and the same problem reappeared. I decided to look carefully at Event Viewer in Safe Mode and got the error:

Driver detected an internal error in its data structures
Source sptd
Event ID 4

I followed some instructions on the Internet and uninstalled Daemon Tools Lite; right after that I restarted Windows normally, and then everything worked fine again.

I want to know what has been happening to the sptd driver, what to do to fix this problem permanently, and how I can use any other CD-ROM emulator.

Note that I had Daemon Tools installed for a very long time without error until recently; it was good, though. As of writing this topic, I have not installed any CD-ROM emulator, since I think the problem will occur again if I do so. I will wait for help from you guys.


Source: (StackOverflow)

what physical disk is referenced by Event 7, Disk error "The device, \Device\Harddisk2\DR2, has a bad block." [duplicate]

Possible Duplicate:
How do I determine which HD is involved in the Event Viewer?

NOT a duplicate

Well, maybe the general premise is a duplicate, but the linked question is not answered, only has 1 answer (by the closer, yesterday) regarding USB drives, is old, and my question has more technical information.

more "not a duplicate" details

1) I do not have any USB drives attached, thus the answer in How do I determine which HD is involved in the Event Viewer? is not related.

2) the answer in How do I determine which HD is involved in the Event Viewer? does NOT say how to determine what physical drive is which, especially after I gave info in my comments (drive2 != channel 0, target 1)

So, I'm not sure how to reopen this (maybe I cannot), but again, this is not a duplicate. My question was not already answered.

=====================================

spec details:

Running Windows 2008 R2 server.

I have 5 physical disks in my system.

Four 2 TB disks are set up in a RAID 5 (software) configuration, and one 320 GB disk holds the OS.

question details:

When doing the initial disk sync of my RAID 5, I got this Disk Event 7 come up. Unfortunately, in Disk Manager I saw yellow exclamation marks on two disks (not just one) and so am uncertain which disk is actually the one mentioned by this message.

Does anyone know how to find out which physical disk is referenced as "\Device\Harddisk2\DR2"?

The only info I found on Microsoft's site was about Win2000/NT, and the info they give does not work in Win2k8.


Source: (StackOverflow)

Windows 10 Search, Cortana, and Edge crashing

I have a relatively new install of Win10 Enterprise (BitLocker enabled, hardware encryption, with a Samsung EVO 850 500 GB SSD) on a Lenovo T450s laptop, and despite not having set it up much yet for myself, I recently noticed that it's experiencing some major issues with SearchUI.exe and microsoftedgecp.exe (Microsoft Edge), specifically that they are crashing due to edgehtml.dll (I think). When you click on the Start menu, it hesitates for a second before launching it, and you can't type to search for anything. Clicking on Cortana does nothing, and Edge itself will crash within a few seconds of launching. Here are a few of the Event Viewer entries:

-

Faulting application name: microsoftedgecp.exe, version: 11.0.10586.20, time stamp: 0x56540c35
Faulting module name: edgehtml.dll, version: 11.0.10586.162, time stamp: 0x56cd3d95
Exception code: 0x88985004
Fault offset: 0x00000000004be12a
Faulting process id: 0x3bf0
Faulting application start time: 0x01d18efa5270bbae
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
Faulting module path: C:\Windows\SYSTEM32\edgehtml.dll
Report Id: 8d733596-7679-4146-a5bc-32e58b1a4129
Faulting package full name: Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge

-

Faulting application name: microsoftedgecp.exe, version: 11.0.10586.20, time stamp: 0x56540c35
Faulting module name: edgehtml.dll, version: 11.0.10586.162, time stamp: 0x56cd3d95
Exception code: 0x88985004
Fault offset: 0x00000000004be12a
Faulting process id: 0x47c4
Faulting application start time: 0x01d18efa51ded1e9
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
Faulting module path: C:\Windows\SYSTEM32\edgehtml.dll
Report Id: c75874b5-d314-4b32-9abe-8f97492f1845
Faulting package full name: Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge

-

Faulting application name: microsoftedgecp.exe, version: 11.0.10586.20, time stamp: 0x56540c35
Faulting module name: edgehtml.dll, version: 11.0.10586.162, time stamp: 0x56cd3d95
Exception code: 0x88985004
Fault offset: 0x00000000004be12a
Faulting process id: 0x1a8
Faulting application start time: 0x01d18efa510f8f66
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
Faulting module path: C:\Windows\SYSTEM32\edgehtml.dll
Report Id: a2a299bd-ea1e-4f98-a430-6bdfb61e5109
Faulting package full name: Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge

-

Faulting application name: microsoftedgecp.exe, version: 11.0.10586.20, time stamp: 0x56540c35
Faulting module name: edgehtml.dll, version: 11.0.10586.162, time stamp: 0x56cd3d95
Exception code: 0x88985004
Fault offset: 0x00000000004be12a
Faulting process id: 0x3640
Faulting application start time: 0x01d18efa510890c3
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\microsoftedgecp.exe
Faulting module path: C:\Windows\SYSTEM32\edgehtml.dll
Report Id: db08f14e-8d55-49e4-b80c-3b9b56a21726
Faulting package full name: Microsoft.MicrosoftEdge_25.10586.0.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge

-

Faulting application name: SearchUI.exe, version: 10.0.10586.63, time stamp: 0x568b1fdc
Faulting module name: edgehtml.dll, version: 11.0.10586.162, time stamp: 0x56cd3d95
Exception code: 0x88985004
Fault offset: 0x00000000004be12a
Faulting process id: 0x374c
Faulting application start time: 0x01d18efa2d6609c6
Faulting application path: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Faulting module path: C:\Windows\SYSTEM32\edgehtml.dll
Report Id: 34230882-ec14-44b9-8ce0-1b4f30e59849
Faulting package full name: Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: 

-

Fault bucket 133301214499, type 5
Event Name: MoAppCrash
Response: Not available
Cab Id: 0

Problem signature:
P1: Microsoft.Windows.Cortana_1.6.1.52_neutral_neutral_cw5n1h2txyewy
P2: praid:CortanaUI
P3: 10.0.10586.63
P4: 568b1fdc
P5: edgehtml.dll
P6: 11.0.10586.162
P7: 56cd3d95
P8: 88985004
P9: 00000000004be12a
P10: 

Attached files:
C:\Users\<REDACTED>\AppData\Local\Temp\WER4DA8.tmp.WERInternalMetadata.xml

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Microsoft.Window_897442cd215ce5bc4ce35642dc9bd6973fda99_00c55871_3150500a

Analysis symbol: 
Rechecking for solution: 0
Report Id: 34230882-ec14-44b9-8ce0-1b4f30e59849
Report Status: 0
Hashed bucket: eef41b25bfe514042d78e156ab16e2cf

I've tried SFC with no success, and the issue persists even on brand new, different user accounts. I've been scouring online trying to find a solution, with no success either. My next step is to perhaps try a Windows Repair, but I would prefer to avoid that if possible, plus there are no guarantees it even fixes the issue. Any thoughts/suggestions on what to try next?

Here is some additional information from Microsoft's forum: http://answers.microsoft.com/en-us/windows/forum/apps_windows_10-msedge/edgehtmldll-crashes-disable-searchui-and-edge/ed0f0fe8-e739-4900-80b3-121991bda5d4?page=1&tab=question&status=AllReplies

UPDATE (4/6/16)

Results from "sfc /scannow" and "Dism /Online /Cleanup-Image /RestoreHealth"

C:\Windows\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection did not find any integrity violations.

C:\Windows\system32>Dism /Online /Cleanup-Image /RestoreHealth

Deployment Image Servicing and Management tool
Version: 10.0.10586.0

Image Version: 10.0.10586.0

[==========================100.0%==========================]
The restore operation completed successfully.
The operation completed successfully.

UPDATE-2 (4/6/16)

Results from Process Monitor when launching Microsoft Edge (filtered for Path begins with C:\windows\fonts):

"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:40:51.5499877 PM","Explorer.EXE","4448","CloseFile","C:\Windows\Fonts","SUCCESS",""
"5:40:51.5532395 PM","Explorer.EXE","4448","CloseFile","C:\Windows\Fonts","SUCCESS",""
"5:41:11.5068092 PM","MicrosoftEdge.exe","16152","CreateFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Random Access, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:11.5069770 PM","MicrosoftEdge.exe","16152","QueryInformationVolume","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","VolumeCreationTime: 2/21/2016 10:51:06 PM, VolumeSerialNumber: 1CE0-E6D8, SupportsObjects: True, VolumeLabel: "
"5:41:11.5070573 PM","MicrosoftEdge.exe","16152","QueryAllInformationFile","C:\Windows\Fonts\segoeui_1.ttf","BUFFER OVERFLOW","CreationTime: 4/6/2016 5:39:20 PM, LastAccessTime: 4/6/2016 5:39:20 PM, LastWriteTime: 10/30/2015 3:17:59 AM, ChangeTime: 4/6/2016 1:01:58 PM, FileAttributes: A, AllocationSize: 913,408, EndOfFile: 910,052, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x1400000001a87b, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word"
"5:41:11.5071492 PM","MicrosoftEdge.exe","16152","CreateFileMapping","C:\Windows\Fonts\segoeui_1.ttf","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE"
"5:41:11.5072010 PM","MicrosoftEdge.exe","16152","QueryStandardInformationFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","AllocationSize: 913,408, EndOfFile: 910,052, NumberOfLinks: 1, DeletePending: False, Directory: False"
"5:41:11.5073179 PM","MicrosoftEdge.exe","16152","CreateFileMapping","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","SyncType: SyncTypeOther"
"5:41:11.5121628 PM","svchost.exe","456","CreateFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Random Access, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:11.5122610 PM","svchost.exe","456","QueryInformationVolume","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","VolumeCreationTime: 2/21/2016 10:51:06 PM, VolumeSerialNumber: 1CE0-E6D8, SupportsObjects: True, VolumeLabel: "
"5:41:11.5123003 PM","svchost.exe","456","QueryAllInformationFile","C:\Windows\Fonts\segoeui_1.ttf","BUFFER OVERFLOW","CreationTime: 4/6/2016 5:39:20 PM, LastAccessTime: 4/6/2016 5:39:20 PM, LastWriteTime: 10/30/2015 3:17:59 AM, ChangeTime: 4/6/2016 1:01:58 PM, FileAttributes: A, AllocationSize: 913,408, EndOfFile: 910,052, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x1400000001a87b, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word"
"5:41:11.5123534 PM","svchost.exe","456","CreateFileMapping","C:\Windows\Fonts\segoeui_1.ttf","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE"
"5:41:11.5123869 PM","svchost.exe","456","QueryStandardInformationFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","AllocationSize: 913,408, EndOfFile: 910,052, NumberOfLinks: 1, DeletePending: False, Directory: False"
"5:41:11.5124542 PM","svchost.exe","456","CreateFileMapping","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","SyncType: SyncTypeOther"
"5:41:11.5126484 PM","svchost.exe","456","CreateFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:11.5127537 PM","svchost.exe","456","QuerySecurityFile","C:\Windows\Fonts\segoeui_1.ttf","BUFFER OVERFLOW","Information: DACL, DACL Unprotected"
"5:41:11.5128072 PM","svchost.exe","456","CloseFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS",""
"5:41:11.5129688 PM","svchost.exe","456","CreateFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:11.5130375 PM","svchost.exe","456","QuerySecurityFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","Information: DACL, DACL Unprotected"
"5:41:11.5131821 PM","svchost.exe","456","CloseFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS",""
"5:41:11.7920593 PM","MicrosoftEdge.exe","16152","CreateFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Random Access, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:11.7921820 PM","MicrosoftEdge.exe","16152","QueryInformationVolume","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","VolumeCreationTime: 2/21/2016 10:51:06 PM, VolumeSerialNumber: 1CE0-E6D8, SupportsObjects: True, VolumeLabel: "
"5:41:11.7922503 PM","MicrosoftEdge.exe","16152","QueryAllInformationFile","C:\Windows\Fonts\segoeuisl_1.ttf","BUFFER OVERFLOW","CreationTime: 4/6/2016 5:39:37 PM, LastAccessTime: 4/6/2016 5:39:37 PM, LastWriteTime: 10/30/2015 3:18:01 AM, ChangeTime: 4/6/2016 1:01:58 PM, FileAttributes: A, AllocationSize: 802,816, EndOfFile: 802,408, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x70900000000a833, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word"
"5:41:11.7923204 PM","MicrosoftEdge.exe","16152","CreateFileMapping","C:\Windows\Fonts\segoeuisl_1.ttf","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE"
"5:41:11.7923699 PM","MicrosoftEdge.exe","16152","QueryStandardInformationFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","AllocationSize: 802,816, EndOfFile: 802,408, NumberOfLinks: 1, DeletePending: False, Directory: False"
"5:41:11.7924721 PM","MicrosoftEdge.exe","16152","CreateFileMapping","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","SyncType: SyncTypeOther"
"5:41:11.7960577 PM","svchost.exe","456","CreateFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Random Access, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:11.7961492 PM","svchost.exe","456","QueryInformationVolume","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","VolumeCreationTime: 2/21/2016 10:51:06 PM, VolumeSerialNumber: 1CE0-E6D8, SupportsObjects: True, VolumeLabel: "
"5:41:11.7961929 PM","svchost.exe","456","QueryAllInformationFile","C:\Windows\Fonts\segoeuisl_1.ttf","BUFFER OVERFLOW","CreationTime: 4/6/2016 5:39:37 PM, LastAccessTime: 4/6/2016 5:39:37 PM, LastWriteTime: 10/30/2015 3:18:01 AM, ChangeTime: 4/6/2016 1:01:58 PM, FileAttributes: A, AllocationSize: 802,816, EndOfFile: 802,408, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x70900000000a833, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word"
"5:41:11.7964009 PM","svchost.exe","456","CreateFileMapping","C:\Windows\Fonts\segoeuisl_1.ttf","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE"
"5:41:11.7964361 PM","svchost.exe","456","QueryStandardInformationFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","AllocationSize: 802,816, EndOfFile: 802,408, NumberOfLinks: 1, DeletePending: False, Directory: False"
"5:41:11.7964973 PM","svchost.exe","456","CreateFileMapping","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","SyncType: SyncTypeOther"
"5:41:11.7968181 PM","svchost.exe","456","CreateFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:11.7969056 PM","svchost.exe","456","QuerySecurityFile","C:\Windows\Fonts\segoeuisl_1.ttf","BUFFER OVERFLOW","Information: DACL, DACL Unprotected"
"5:41:11.7969498 PM","svchost.exe","456","CloseFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS",""
"5:41:11.7971336 PM","svchost.exe","456","CreateFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:11.7971948 PM","svchost.exe","456","QuerySecurityFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS","Information: DACL, DACL Unprotected"
"5:41:11.7972224 PM","svchost.exe","456","CloseFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS",""
"5:41:15.2784017 PM","svchost.exe","456","CloseFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS",""
"5:41:15.3094061 PM","svchost.exe","456","CloseFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS",""
"5:41:18.2358560 PM","svchost.exe","456","CreateFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Random Access, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:18.2359617 PM","svchost.exe","456","QueryInformationVolume","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","VolumeCreationTime: 2/21/2016 10:51:06 PM, VolumeSerialNumber: 1CE0-E6D8, SupportsObjects: True, VolumeLabel: "
"5:41:18.2360139 PM","svchost.exe","456","QueryAllInformationFile","C:\Windows\Fonts\segoeui_1.ttf","BUFFER OVERFLOW","CreationTime: 4/6/2016 5:39:20 PM, LastAccessTime: 4/6/2016 5:39:20 PM, LastWriteTime: 10/30/2015 3:17:59 AM, ChangeTime: 4/6/2016 1:01:58 PM, FileAttributes: A, AllocationSize: 913,408, EndOfFile: 910,052, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x1400000001a87b, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word"
"5:41:18.2360733 PM","svchost.exe","456","CreateFileMapping","C:\Windows\Fonts\segoeui_1.ttf","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: PAGE_EXECUTE|PAGE_NOCACHE"
"5:41:18.2361161 PM","svchost.exe","456","QueryStandardInformationFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","AllocationSize: 913,408, EndOfFile: 910,052, NumberOfLinks: 1, DeletePending: False, Directory: False"
"5:41:18.2362000 PM","svchost.exe","456","CreateFileMapping","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","SyncType: SyncTypeOther"
"5:41:18.2363709 PM","svchost.exe","456","CreateFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:18.2364383 PM","svchost.exe","456","QuerySecurityFile","C:\Windows\Fonts\segoeui_1.ttf","BUFFER OVERFLOW","Information: DACL, DACL Unprotected"
"5:41:18.2364673 PM","svchost.exe","456","CloseFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS",""
"5:41:18.2366396 PM","svchost.exe","456","CreateFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","Desired Access: Read Control, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"5:41:18.2367159 PM","svchost.exe","456","QuerySecurityFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS","Information: DACL, DACL Unprotected"
"5:41:18.2367440 PM","svchost.exe","456","CloseFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS",""
"5:41:21.2377432 PM","svchost.exe","456","CloseFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS",""
"5:41:21.5793870 PM","MicrosoftEdge.exe","16152","CloseFile","C:\Windows\Fonts\segoeui_1.ttf","SUCCESS",""
"5:41:21.5826254 PM","MicrosoftEdge.exe","16152","CloseFile","C:\Windows\Fonts\segoeuisl_1.ttf","SUCCESS",""

Source: (StackOverflow)